Ours was the first antivirus blog in the industry and many others have since followed our lead.

The members of the Security Lab have always been early adopters of technology, and blogging has proved itself to be an important connection to our customers, partners, and to the security community at large. Thank you for reading and participating.

So, it's OUR "birthday", but it's YOU that can receive a present. How about some of our laptop stickers?

Toni has generated a new list of potential domains for the month of February. The list reflects what we think to be the most common variant of Downadup in-the-wild. Click the image below to view the list.

Alberto Moreno Tablado has found an interesting vulnerability in the Windows Mobile 6 OBEX FTP service, in the Microsoft Bluetooth stack. It's used by devices such as the HTC TyTn II and other similar smartphones. Devices that use other Widcomm or other non-Microsoft Bluetooth stacks are not affected.

The vulnerability is a classical path traversal vulnerability, which means that an attacker can send path information along with the file name to the Windows Mobile device, and thus cause the file to be copied anywhere in the device's file system.

In theory this might be a really serious vulnerability, as an attacker could copy something to a location where the application would automatically start at the next boot. But in practice, the vulnerability is of limited use for an attacker, as it would require the victim to pair his phone before OBEX FTP can be used. So this vulnerability has quite low exploitability.

The same basic caution that protects against other Bluetooth attacks also protects from this one.

Do not form Bluetooth pairs with devices that you do not fully trust. And if you are not using Bluetooth file sharing, do disable it from the Bluetooth FTP settings in Bluetooth connection settings.

Note: Our thanks goes to Dawid M. for directing us to Tablado's research.

We've been following news during the past few days regarding a possible rogue Android application, available in the Android market.

A number of forum discussions were focusing on an application called MemoryUp which is produced by eMobiStudio (emobistudio.com). There were reports of Android phones deleting information, sending spam to contact lists, and installing adware. All of this was supposedly done to the phone without permission by MemoryUp.

We did a bit of digging into the issue but couldn't verify any of the claims made about MemoryUp's maliciousness. We studied a couple of the versions that are readily available and none of them attempted to break anything on the Android platform nor did they attempt to do things other than what the application promises to do.

Google has investigated, and their spokeswoman stated: "In the versions we tested, MemoryUp cannot perform any of the malicious things it is reported to have done."

Putting it briefly, we are not the law, and as a publicly traded company bound by laws, we simply cannot act as vigilantes.

Why? Well, a few of the infected IP addresses that we have logged are registered to an army (or two), a navy, and a few governments. We are certain that unauthorized use will most definitely not be appreciated.

However, we do NOT sit idly by.

Each and every day we collect data from our analysis and forward it to relevant law enforcement authorities, ISPs, partners, various CERTs, et cetera.

They are the ones that have the legal authority to take action within their territories.

As time passes, the number of estimated Downadup infections becomes more problematic to calculate as we are monitoring a varying number of domains. Re-infections may also be inflating the count. In any case, today seems better than the day before and we think that growth of Downadup has been curbed. Disinfection of the worm remains a challenge.

So let's look at Thursday's IP count, where are the infected computers?

Our sinkhole logged just over one million unique IP addresses yesterday. This is compared to 350,000 last Friday. Remember, there may be any number of computers sitting behind a single IP address.

China, Russia, and Brazil have the highest IP count. Combined, they account for nearly 41 percent of the total.

Links have been added recently, such as one to Microsoft's Knowledge Base Article 962007. The KB article includes numerous details on manual disinfection. The Microsoft MSRT application was updated to scan for Downadup (alias Conficker) this month.

One important note: Downadup disables Automatic Updates, so updated versions of MSRT will need to be downloaded manually; they will not be automatically installed on infected machines.

Tomi, from our Customer Involvement Team, would like to point out that the latest version of ISTP (9.10 build 129) was released on January 14th. ISTP receives signature and engine updates from our beta update channel. So, the ISTP engine architecture will use our latest removal engine, which was released to beta today.

If you would like to try ISTP, you'll find more information from here. ISTP feedback enrolls users into prize giveaways.

We recently received another batch of our very popular laptop stickers, so as a bonus, we'll pass along a stack to Tomi.

Updated to add January 21st:

Yesterday we mentioned that the latest version of our removal engine was released to our beta update channel.

There is also a beta channel update of our scanning engine planned for tomorrow (the 22nd). Those testing previous builds of ISTP will also receive this updated scanning engine.

There are a number of improved features that have been implemented and we look forward to the feedback.

It is different than a DDoS "attack". Some, such as Arbor Networks, have dubbed it "The Tiger Effect".

June 2008's U.S. Open Golf Championship 19-hole playoff resulted in massive traffic spikes from those seeking real-time scores and streaming video feeds.

DDoS events are moments when a massive focus of interest falls on one place on the Internet. Demand greatly exceeds normal levels, and the result is a Denial of Service effect. Web servers simply can't meet demand when such focus points occur, and their timing is not easily predicted.

And even though DDoS events lack malicious intent, the results can often be just as painful as an attack…

Here's a recent example from two weeks ago: North Carolina's unemployment rate is at its highest level in 25 years, and a deluge of out-of-work people has strained the state's jobless systems to the breaking point. State [websites] have crashed twice in the past month as people apply or renew their employment benefits.

Downadup's autorun.inf file uses an action keyword and icon extracted from shell32.dll to produce the following:

The category is "Install or run program" but the text and icon are for "Open folder to view files".

The first option will run Downadup, not good. The second "general" option is the choice that will safely open the USB drive.

Being curious, we tried this autorun.inf with Windows 7:

And the results for Windows 7 were the same as Vista's:

Downadup attempts to disguise the installation option as an open folder action.

We would utilize Windows 7's "Send Feedback" link, but the lab's Windows 7 system is not connected to the Internet. It's being used to test our Client Security 8 application. Client Security 8 (Internet Security 2009, and some other recent releases) can generically detect Downadup's autorun file as Worm:W32/Downaduprun.A.

There have also been several posts to our blog comments doubting our numbers. Here are some sample quotes:

Kitschen: Yeah right! As if you could "estimate" infection to a precision of 10 machines. This is just PR. Your "special techniques" are at best able to estimate 100000.

wastedimage: This number looks like total guesswork. How did you go from ~100k ip's to 2.4 million boxes? I realize *some* might be nat but how many? Did you just assume each ip really was some arbitrary number of vulnerable machines or something? Spreading FUD like this is incredibly unprofessional.

wastedimage: So you're trusting the counter built into the bot itself which may be rigged to indicate larger numbers to entice spammers to pay more for its use. Sure that sounds like a solid plan.

So let us explain how we are generating the numbers.

There are several different variants of Downadup out there. The algorithm used to create the domain names varies a bit between the variants. We've been tracking the variant we believe to be most common. It creates 250 possible domains each day. We've registered some selected domains out of this pool and are monitoring the connections being made to them.

This is what the connections look like:

As you can see, this is a standard httpd log showing the IP address of the machines connecting to our domains, the time stamp (the queries in the above image all come in the same second: 18:16:05 yesterday), the actual query ("GET /search?q=29 HTTP/1.0"), and the User-Agent of the machine.

These are the raw connections coming to our sinkhole systems. Millions of them every day. When we sort these connections by source, we see hundreds of thousands of unique IP addresses every day (over 350,000 today).

It's hard to tell the real number of infections since NAT boxes and proxies tend to spoil the fun and Downadup doesn't include a unique identifier within the User-Agent string for us to see.

We first tried to count unique User-Agent headers per IP address, but the results weren't very good as in a standardized corporate network, most machines have identical User-Agents.

So, with a little digging we discovered that in the /search?q=NUMBER query, the number is not random. It's basically a global variable in the code, incremented (thread-safely, through InterlockedIncrement) every time the malware has successfully exploited a machine via MS08-067. The increment is done in the httpd thread of the malware, after it has exploited a machine successfully.

So this number tells us how many other computers this machine has exploited since it was last restarted. In the above log you can see one of the machines has exploited 116 computers.

Do bear in mind that this number only shows how many machines got infected via the MS08-067 exploit. Downadup spreads at least as much via network shares and USB sticks.

We wrote a program that parses the logs, extracting the highest "q" value for the IP/User-Agent pairs. These are then added together to get our figures. As you can see now, they are very conservative.
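As an added illustration of the counting method described above (this is not the lab's own program), the following Python parses constructed httpd-style log lines, keeps the highest "q" per (IP, User-Agent) pair and sums them. The Apache combined-log layout, the addresses and the User-Agent strings are assumptions; the post only shows a screenshot.

```python
import re

# Constructed sample records. The four fields the post points at are the
# source IP, the timestamp, the request line and the User-Agent.
UA_XP = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
UA_2K = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

def _line(ip, q, ua, ts="20/Jan/2009:18:16:05 +0200"):
    return f'{ip} - - [{ts}] "GET /search?q={q} HTTP/1.0" 200 43 "-" "{ua}"'

SAMPLE_LOG = [
    _line("203.0.113.7", 3, UA_XP),       # corporate NAT address, first beacon
    _line("203.0.113.7", 116, UA_XP),     # same host later: 116 machines exploited
    _line("203.0.113.7", 5, UA_2K),       # a second host behind the same NAT
    _line("198.51.100.20", 0, UA_XP),     # infected, but has exploited nobody yet
    _line("198.51.100.20", 0, UA_XP),
    '192.0.2.9 - - [20/Jan/2009:18:16:05 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "curl/7.19.0"',
    "garbage line that is not a log record",
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
Q_RE = re.compile(r"^/search\?q=(\d+)$")

def parse_line(line):
    """Return (ip, user_agent, q) for a Downadup beacon, or None otherwise."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    q = Q_RE.match(m.group("path"))
    if not q:
        return None                      # favicon probes, scanners, noise
    return m.group("ip"), m.group("ua"), int(q.group(1))

def estimate(lines):
    """The post's counting: unique IPs, (IP, User-Agent) pairs, and the sum
    over pairs of the highest q seen, i.e. hosts exploited via MS08-067.
    Pairs whose q is still 0 contribute nothing, one reason the figure is
    conservative."""
    ips, max_q = set(), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ua, q = rec
        ips.add(ip)
        max_q[(ip, ua)] = max(max_q.get((ip, ua), 0), q)
    return {"unique_ips": len(ips), "pairs": len(max_q),
            "infections": sum(max_q.values())}

if __name__ == "__main__":
    print(estimate(SAMPLE_LOG))  # {'unique_ips': 2, 'pairs': 3, 'infections': 121}
```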

And they are showing more than 8 million infected machines right now.

The situation with Downadup is not getting better. It's getting worse.

A malicious IFrame was inserted on the site sometime last week. The IFrame content directed visitors to install "updated" software. Remember, if you must update an application to take advantage of a new feature, it's always advisable to go directly to the vendor's website in order to install it. (Most of our regular readers already know this of course.)

The offending IFrame appears to have been removed at this time. You can read more about the compromise here and/or here.

The infection of "Paris Hilton" highlights a popular trend among online attackers. Hacking a trusted, well-known site can yield many new victims, so it's worth the attackers' investment of time. So there really is no such thing as a site that is trusted 100% of the time.

They do this by trying to connect to various Web addresses. And if the worm finds an active Web server at one of these domains, it will download and run a particular executable — thus giving the malware gang a free hand to do whatever they want with all of the infected machines.

They could build a large botnet for example. The framework is in place.

Normally malware uses only one or maybe a handful of websites. Such sites are generally easy to locate and shut down.

Then there is Downadup. It uses a complicated algorithm which changes daily and is based on timestamps from public websites such as Google.com and Baidu.com. With this algorithm, the worm generates many possible domain names every day.

This makes it impossible and/or impractical for us good guys to shut them all down — most of them are never registered in the first place.

However, the bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website — and they then gain access to all of the infected machines. Pretty clever.

But we can play this game as well.

So we've determined the possible domains and have registered some of them for ourselves.

Which means the infected machines will also connect to us.

We could attempt to manipulate the infected machines. But of course we won't. In fact, we won't be doing anything at all to them – not even disinfect them – as that could be seen as "unauthorized use". That is illegal, at least in many jurisdictions. (Doing something without being asked is also a very large ethical question…) Look but don't touch is the golden rule.

But this looking and listening does gain us a unique visibility inside and we can see just how large the number of infected machines is.

A very large part of that traffic is coming from corporate networks, through firewalls, proxies, and NAT routers. Meaning that one unique IP address that we see could very well be 2,000 infected workstations in real life.

Toni Koivunen from our Response Team has used some additional tricks to come up with an estimate on just how many infected machines there really are.

Toni's final count is: 2,395,963 infections worldwide. This figure is conservative; the real number is certainly higher.

It would make for one big badass botnet.

And where in the world are these infections? We're glad you asked. We resolved the IPs to countries and here are the results.

Number of IPs    Registered country of the IP
38,277           China
34,814           Brazil
24,526           Russia
16,497           India
14,767           Ukraine
13,115           Italy
11,675           Argentina
11,117           Korea
8,861            Romania
6,166            Indonesia
5,882            Chile
5,531            Taiwan
5,162            Malaysia
4,392            Germany
4,261            Philippines
3,958            United States
3,719            Colombia
3,307            Spain
3,191            Thailand
2,871            Kazakhstan
2,828            Venezuela
2,685            Mexico
2,518            Europe (resolved to EU)
2,337            France
1,901            Bulgaria
1,789            United Kingdom
1,655            Pakistan
1,636            Turkey
1,544            Saudi Arabia
1,399            Hungary
1,389            Iran
1,272            Poland
1,259            Macedonia
1,193            Japan
1,052            Portugal
1,029            Vietnam

These are the raw unique IPs; you could think of this as China having 38,277 infected companies, not persons.

It's always a good idea to be ready for out-of-band updates. You can subscribe to Microsoft Security Notifications here.

Downadup has "old school" worm functionality (no user interaction required), the likes of which we haven't really seen for a while now. It also knows some current tricks; it's a worm that spreads via the Internet, local area networks, and removable media. While it doesn't seem to be gaining very much traction on the Internet, it's rapidly spreading once it's inside of local area networks that aren't patched.

Alright, that covers prevention — what about those of you that have infected computers within your networks?

Remember, Downadup is a network worm.

You must clean all of the computers within your network or else you risk reinfections. Servers first, then workstations. Disinfect, then use the manual Microsoft update to patch, then manually update your antivirus, and then do a full system scan for all files.

Downadup uses random extensions for some of its components so you'll need to scan all file types on the system once you have disinfected.

If you use one of our Anti-Virus products, you can download our manual updates from here.

We have a disinfection tool that may assist in your efforts. It can be downloaded from here. It's a command line utility, and you should carefully review the included readme.txt file.

Updated Note: Downadup disables connectivity to a large number of security sites, update channels, as well as Microsoft Updates. You should confirm that these connections are reestablished once the computer is clean.

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer).

Such malicious AUTORUN.INF files are easy to spot. Here's what they typically look like:

But Downadup does not create files such as this. What it drops on USB drives are AUTORUN.INF files that look like this:

So, that's binary garbage. Won't work. Right?

Look closer.

The noteworthy text is found somewhere around the middle of this 90kB file. At the bottom of the screenshot. See it?

Open=RUNDLL32.EXE .\RECYCLER\jwgvsq.vmx

…which would execute a DLL called jwgvsq.vmx from a hidden folder on the USB drive.

The rest of the binary junk consists of comments and is ignored by Windows. And of course, the file size and the amount of binary junk are different every time.
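As an added example (not code from the original posts), here is a small Python checker for the two AUTORUN.INF tricks described above and in the earlier autorun post: it reads the file the way a junk-tolerant INI reader would, keeps only key=value lines under [autorun], and flags an Open= line that loads a DLL through RUNDLL32 from RECYCLER while Action/Icon imitate "Open folder to view files". The sample file bytes and the shell32.dll icon index are constructed, not taken from a real sample.

```python
import re

# Constructed sample in the spirit of the file in the screenshots: the real
# keys sit between runs of binary junk. Icon index 4 is a placeholder.
JUNK1 = bytes(range(0x80, 0xFF))
JUNK2 = b"\x00\x01\x02\xfe\xfd \xf0\x9f\xa5\xb0 =\x0d\x0a\x7f\xee\xdd"
SAMPLE_AUTORUN = (
    JUNK1 + b"\r\n[autorun]\r\n" + JUNK2 + b"\r\n"
    b"Action=Open folder to view files\r\n"
    b"Icon=%systemroot%\\system32\\shell32.dll,4\r\n" + JUNK1 + b"\r\n"
    b"Open=RUNDLL32.EXE .\\RECYCLER\\jwgvsq.vmx\r\n"
    b"UseAutoPlay=1\r\n" + JUNK2
)

# A key name is ASCII letters/digits, plus backslashes for shell\verb\command.
KEY_RE = re.compile(r"^([A-Za-z][A-Za-z0-9\\]*)\s*=\s*(.*)$")
LAUNCH_KEYS = ("open", "shellexecute")

def parse_autorun(data):
    """Return {lowercase key: value} for the [autorun] section only.
    Lines that are not 'name=value' (the binary junk) are skipped, which is
    the behaviour the post describes: the junk acts as comments."""
    keys, section = {}, None
    for raw in data.decode("latin-1").split("\n"):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        m = KEY_RE.match(line)
        if m and section == "autorun":
            keys[m.group(1).lower()] = m.group(2).strip()
    return keys

def assess(keys):
    """Defender-side findings for an autorun.inf found on removable media."""
    findings = []
    launchers = [v for k, v in keys.items()
                 if k in LAUNCH_KEYS
                 or (k.startswith("shell\\") and k.endswith("\\command"))]
    for cmd in launchers:
        low = cmd.lower()
        if "rundll32" in low:
            findings.append("launch key loads a DLL through RUNDLL32: " + cmd)
        if "recycler" in low or "system volume information" in low:
            findings.append("launch target sits in a normally hidden folder: " + cmd)
    if launchers and "open folder" in keys.get("action", "").lower():
        findings.append("Action text mimics the 'Open folder to view files' item")
    if launchers and "shell32.dll" in keys.get("icon", "").lower():
        findings.append("Icon borrowed from shell32.dll to look like a folder")
    return findings

if __name__ == "__main__":
    found = parse_autorun(SAMPLE_AUTORUN)
    for f in assess(found):
        print("SUSPICIOUS:", f)
```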

Over the last days, we've received reports of corporate networks getting infected with various variants of MS08-067 worms. These are mostly Downadup/Conficker variants.

The malware uses server-side polymorphism and ACL modification to make network disinfection particularly difficult. A sign of infection is that user accounts become locked out of an Active Directory domain as the worm attempts to crack account passwords using a built-in dictionary; the failed attempts cause those accounts to be locked.

We also have a separate tool available to assist in disinfecting. The tool is available from here.

We also recommend that system administrators block access to the web sites used by the worm. The sites keep changing, but the current domains to block are:

We did some co-operation recently with a company called Clarified Networks. Some of you might remember them as the guys who did the *wow* visualization of the Kaminsky DNS hole for his Black Hat presentation.